Hello render,
I have a staging app, with a secret file .env in its env tab.
It has a dockerfile with a stanza like in https://render-web.onrender.com/docs/docker-secrets:
RUN --mount=type=secret,id=_env,dst=/etc/secrets/.env source /etc/secrets/.env && do_stuff
I have two problems with it:
a) The secret file is actually present in my running container…
From http shell:
/app $ ls -laF /etc/secrets
total 4
drwxrwxrwt 3 root root 100 Feb 3 15:45 ./
drwxr-xr-x 1 root root 4096 Feb 3 15:45 ../
drwxr-xr-x 2 root root 60 Feb 3 15:45 ..2022_02_03_15_45_32.762024175/
lrwxrwxrwx 1 root root 31 Feb 3 15:45 ..data -> ..2022_02_03_15_45_32.762024175/
lrwxrwxrwx 1 root root 11 Feb 3 15:45 .env -> ..data/.env
b) The doc is confusing
"Then, add --mount=type=secret,id=FILENAME,dst=/etc/secrets/FILENAME to your RUN instructions, replacing FILENAME with the name of your secret file. If your filename contains non-alphanumeric characters, replace them with _ for the id= part."
If the file is actually present in the container, then we can just remove the --mount option and not pretend it is not there…
What I think is:
Given I have a .env file in the docker build context
And I have in my dockerfile
RUN --mount=type=secret,id=.env dostuff
Then docker build --secret id=.env . will make /run/secrets/.env available to the dostuff command.
Why is there an _ hack?
Why is there a dst=/etc/secrets/.env option?
Did I miss something?
Cheers!
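For reference, an added example (not from the original post or from Render's docs) of a Dockerfile that uses the BuildKit secret mount from the stanza above, with the matching build command in the header comment. It assumes the .env file defines a variable named API_URL and that ./do_stuff.sh is the build step; both are placeholders. The final RUN shows that the mount exists only for the one instruction that declares it, so a file still present at that path in the running container did not come from the build-time mount.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the original post or Render's docs). Build with BuildKit:
#   DOCKER_BUILDKIT=1 docker build --secret id=_env,src=.env -t app .
# The id "_env" matches the renamed id the post quotes from the docs.
FROM alpine:3.19
WORKDIR /app

# Copy only what the build needs. A blanket "COPY . ." would also copy .env from
# the build context into an image layer unless .env is listed in .dockerignore.
COPY do_stuff.sh ./

# Never do this: COPY .env bakes the secret into a layer, where anyone who can
# pull the image can recover it with `docker save` or inspect it in the layer tar.
# COPY .env /etc/secrets/.env

# Do this instead: the secret file is mounted at dst only for the duration of
# this single RUN instruction and is not written to any layer.
RUN --mount=type=secret,id=_env,dst=/etc/secrets/.env \
    set -a && . /etc/secrets/.env && set +a && \
    test -n "${API_URL:?API_URL missing from .env}" && \
    sh ./do_stuff.sh

# Check: in the next layer the mount is gone, so nothing secret was persisted
# by the mount itself (only what do_stuff.sh chose to write remains).
RUN test ! -e /etc/secrets/.env && echo "build secret not present in image"
```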